When Text Turns Toxic: Unicode’s Secret Role in Cyber Attacks

Security researchers have uncovered a striking vulnerability in OpenAI’s Codex cloud environment that demonstrates how something as seemingly harmless as a branch name can be weaponized. The flaw allowed attackers to steal GitHub authentication tokens simply by embedding malicious commands into the naming convention of a repository branch.

The Discovery

The research, conducted by BeyondTrust Phantom Labs, revealed that Codex failed to properly sanitize input when processing GitHub branch names during task execution. This oversight opened the door for attackers to inject arbitrary commands into the system. Once executed inside the agent’s container, those commands could exfiltrate sensitive authentication tokens, effectively granting unauthorized access to connected GitHub repositories.

The Invisible Payload

What makes this attack particularly insidious is the way the malicious payload was hidden. The researchers leveraged a Unicode character known as the Ideographic Space (U+3000). By appending 94 of these invisible spaces followed by the phrase "or true" to a branch name, attackers could bypass error conditions while concealing the exploit from human eyes.

To a developer glancing at the branch name in Codex’s interface, the payload appeared invisible. Yet Bash, the shell executing the command, ignored the spaces and dutifully ran the injected code. This clever obfuscation meant that even vigilant users could miss the threat entirely.

Scaling the Attack

The attack wasn’t limited to a single user. With sufficient repository permissions, an attacker could create a poisoned branch and even set it as the default. Anyone interacting with that branch through Codex — whether via the ChatGPT website, Codex CLI, SDK, or IDE extension risked having their GitHub OAuth token siphoned off to an external server.

Phantom Labs demonstrated the exploit by hosting a simple HTTP server on Amazon EC2, confirming that stolen tokens were successfully transmitted.

Beyond Token Theft

The vulnerability extended further than OAuth tokens. Researchers found that GitHub Installation Access tokens could also be stolen by referencing Codex in a pull request comment. This triggered a code review container that executed the hidden payload. Additionally, locally stored authentication tokens in the auth.json file on developer machines could be exploited through backend APIs, broadening the attack surface.

Why It Matters

The incident highlights a growing concern: AI coding agents with privileged access introduce new risks that traditional security tools cannot easily detect. Antivirus software and firewalls are powerless against attacks that occur inside cloud environments managed by third-party AI platforms.

This discovery underscores the importance of auditing permissions for AI tools, enforcing least privilege principles, and monitoring repositories for unusual branch names, especially those containing Unicode characters. Regular rotation of GitHub tokens and vigilant review of access logs are also critical defenses.

The Aftermath

OpenAI’s security team worked with Phantom Labs to remediate the reported issues, closing off the vulnerability. Yet the episode serves as a cautionary tale. As AI-driven development environments become more integrated into workflows, attackers will continue to look for creative ways to exploit overlooked details — even something as mundane as a branch name.

© 2026 AllComputerss. All rights reserved.